Delegation not working

Mark Andrews Mark_Andrews at isc.org
Fri May 8 00:18:54 UTC 2009


In message <0E6DC7D76AA144A4B068E4B55202615E at netadmin.bart.gov>, "Mike Bernhardt" writes:
> Do you mean that BIND *COULD* query from a low-numbered random port? I
> thought applications that don't source from a specific port always sourced
> from > 1023?

	BIND is not the only application that makes queries.  POSIX
	is not the only platform that makes queries.  Even if you
	have a POSIX box middleware may change the port to something
	less than 1024.

	When you restrict the source ports to something other than
	the entire range you are making lots of assumptions about
	the sender and all the middleware involved that actually
	don't hold true in many cases.

	Your problem was caused by a misconfigured firewall.  That
	firewall should be fixed.  It remains a potential source
	of problems until it is fixed.

	Mark
 
> -----Original Message-----
> From: Mark_Andrews at isc.org [mailto:Mark_Andrews at isc.org] 
> Sent: Thursday, May 07, 2009 3:33 PM
> To: Mike Bernhardt
> Cc: 'Chris Buxton'; bind-users at lists.isc.org
> Subject: Re: Delegation not working 
> 
> 
> In message <F43437AD793B466C9F4F93830225F3EC at netadmin.bart.gov>, "Mike Bernhardt" writes:
> > I found the problem. After the various delegation config issues were cleared
> > and it still didn't work, I started doing some traces. The problem turned
> > out to be
> > 1. We had a query source port of 53 configured that was left over from some
> > old legacy compatibility issues.
> > 2. The firewall between us and the subdomain authority was only allowing
> > queries from high-numbered ports.
> > 3. The dns rule in the firewall was configured to not log, so the drops
> > didn't show up when I looked previously.
> > 
> > I removed the query source-port option and all is now good. Thank you to
> > Chris Buxton for all of his patience. I learned a few things along the way.
> 
> 	I hope you also fixed the firewall not to care about the
> 	source port of DNS queries.  There is no requirement for
> 	DNS queries to be sourced from any particular port range.
> 
> 	Mark
>  
> > Mike
> > 
> > -----Original Message-----
> > From: Chris Buxton [mailto:cbuxton at menandmice.com] 
> > Sent: Thursday, May 07, 2009 1:19 PM
> > To: Mike Bernhardt
> > Cc: bind-users at lists.isc.org
> > Subject: Re: Delegation not working
> > 
> > Mike,
> > 
> > That was two separate commands.
> > 
> > dig +norec -x 10.0.2.252 @148.165.126.87
> > 
> > and
> > 
> > dig +norec -x 10.0.2.252 @10.2.242.222
> > 
> > So most of what you sent back is gibberish. However, at the top, there  
> > is the message "connection timed out; no servers could be reached".  
> > There's at least part of your problem.
> > 
> > Chris Buxton
> > Professional Services
> > Men & Mice
> > 
> > On May 7, 2009, at 12:50 PM, Mike Bernhardt wrote:
> > 
> > > That gave me:
> > > dig +norec -x 10.0.2.252 @148.165.126.87 dig +norec -x 10.0.2.252
> > > @10.2.242.222
> > > ;; connection timed out; no servers could be reached
> > > ;; Got answer:
> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34563
> > > ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
> > >
> > > ;; QUESTION SECTION:
> > > ;dig.                           IN      A
> > >
> > > ;; AUTHORITY SECTION:
> > > .                       162058  IN      NS      C.ROOT-SERVERS.NET.
> > > .                       162058  IN      NS      D.ROOT-SERVERS.NET.
> > > .                       162058  IN      NS      E.ROOT-SERVERS.NET.
> > > .                       162058  IN      NS      F.ROOT-SERVERS.NET.
> > > .                       162058  IN      NS      G.ROOT-SERVERS.NET.
> > > .                       162058  IN      NS      H.ROOT-SERVERS.NET.
> > > .                       162058  IN      NS      I.ROOT-SERVERS.NET.
> > > .                       162058  IN      NS      J.ROOT-SERVERS.NET.
> > > .                       162058  IN      NS      K.ROOT-SERVERS.NET.
> > > .                       162058  IN      NS      L.ROOT-SERVERS.NET.
> > > .                       162058  IN      NS      M.ROOT-SERVERS.NET.
> > > .                       162058  IN      NS      A.ROOT-SERVERS.NET.
> > > .                       162058  IN      NS      B.ROOT-SERVERS.NET.
> > >
> > > ;; ADDITIONAL SECTION:
> > > A.ROOT-SERVERS.NET.     599086  IN      A       198.41.0.4
> > > A.ROOT-SERVERS.NET.     552012  IN      AAAA    2001:503:ba3e::2:30
> > > B.ROOT-SERVERS.NET.     35325   IN      A       192.228.79.201
> > > C.ROOT-SERVERS.NET.     599099  IN      A       192.33.4.12
> > > D.ROOT-SERVERS.NET.     599100  IN      A       128.8.10.90
> > > E.ROOT-SERVERS.NET.     599101  IN      A       192.203.230.10
> > > F.ROOT-SERVERS.NET.     599102  IN      A       192.5.5.241
> > > F.ROOT-SERVERS.NET.     552012  IN      AAAA    2001:500:2f::f
> > > G.ROOT-SERVERS.NET.     599090  IN      A       192.112.36.4
> > > H.ROOT-SERVERS.NET.     599091  IN      A       128.63.2.53
> > > H.ROOT-SERVERS.NET.     552012  IN      AAAA    2001:500:1::803f:235
> > > I.ROOT-SERVERS.NET.     599092  IN      A       192.36.148.17
> > > J.ROOT-SERVERS.NET.     208142  IN      A       192.58.128.30
> > > J.ROOT-SERVERS.NET.     208142  IN      AAAA    2001:503:c27::2:30
> > >
> > > ;; Query time: 0 msec
> > > ;; SERVER: 148.165.30.30#53(148.165.30.30)
> > > ;; WHEN: Thu May  7 12:52:39 2009
> > > ;; MSG SIZE  rcvd: 504
> > >
> > >
> > > ; <<>> DiG 9.3.4 <<>> +norec -x 10.0.2.252 @148.165.126.87 dig  
> > > +norec -x
> > > 10.0.2.252 @10.2.242.222
> > > ; (1 server found)
> > > ;; global options:  printcmd
> > > ;; connection timed out; no servers could be reached
> > >
> > > -----Original Message-----
> > > From: Chris Buxton [mailto:cbuxton at menandmice.com]
> > > Sent: Thursday, May 07, 2009 12:50 PM
> > > To: Mike Bernhardt
> > > Cc: bind-users at lists.isc.org
> > > Subject: Re: Delegation not working
> > >
> > > On May 7, 2009, at 12:37 PM, Mike Bernhardt wrote:
> > >> And dig gives me this:
> > > >> dig +norec @athena -x 10.0.2.252
> > >>
> > >> ;; QUESTION SECTION:
> > >> ;252.2.0.10.in-addr.arpa.       IN      PTR
> > >>
> > >> ;; AUTHORITY SECTION:
> > >> 0.10.in-addr.arpa.      14400   IN      NS      mrep-02.adm.bart.gov.
> > >> 0.10.in-addr.arpa.      14400   IN      NS      dhcp-01.adm.bart.gov.
> > >>
> > >> ;; ADDITIONAL SECTION:
> > >> dhcp-01.adm.bart.gov.   86400   IN      A       148.165.126.87
> > >> mrep-02.adm.bart.gov.   86400   IN      A       10.2.242.222
> > >
> > > That looks perfect.
> > >
> > >> Without +norec, it times out.
> > >
> > >
> > > OK, now we're getting somewhere. Why would the server "athena" have
> > > trouble querying those two servers? Try this from "athena" itself:
> > >
> > > dig +norec -x 10.0.2.252 @148.165.126.87
> > > dig +norec -x 10.0.2.252 @10.2.242.222
> > >
> > > Chris Buxton
> > > Professional Services
> > > Men & Mice
> > >
> > 
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
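The failure Mike traced (a `query-source ... port 53` leftover in named.conf meeting a firewall rule that only passes "high-numbered" source ports and does not log its drops) and Mark's objection to source-port assumptions can be reproduced offline with a small model. The following Python is an added example, not code from the thread, from ISC or from any firewall vendor: the two named.conf fragments are constructed, the `DnsRule` class is a deliberately simplified stateless rule (one range of accepted source ports plus a log flag), and `chosen_port` stands in for whatever port BIND, the OS or middleware along the path ends up using, which is exactly the value a firewall cannot know in advance.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed named.conf fragments (hypothetical; not the poster's real config).
# The first carries the leftover option described in the thread, the second
# has it removed so BIND chooses its own source port.
NAMED_CONF_LEGACY = """
options {
    directory "/var/named";
    query-source address * port 53;      // legacy compatibility leftover
    query-source-v6 address * port 53;
};
"""

NAMED_CONF_FIXED = """
options {
    directory "/var/named";
};
"""

# Matches "query-source [address X] port N;" and the -v6 variant.
_QUERY_SOURCE_RE = re.compile(
    r'^\s*(query-source(?:-v6)?)\s+(?:address\s+\S+\s+)?port\s+(\*|\d+)\s*;',
    re.MULTILINE,
)


def find_fixed_query_source_ports(conf_text: str) -> List[Tuple[str, int]]:
    """Return (option, port) for every query-source option pinned to one port.

    'port *' (let BIND / the OS pick) is not reported; a fixed port is, because
    it removes the resolver's freedom to pick its source port and collides with
    any firewall rule that assumes queries come from a particular range.
    """
    findings = []
    for m in _QUERY_SOURCE_RE.finditer(conf_text):
        option, port = m.groups()
        if port != '*':
            findings.append((option, int(port)))
    return findings


@dataclass
class DnsRule:
    """Simplified stateless firewall rule for outbound UDP/53 (constructed model)."""
    name: str
    sport_min: int      # source ports the rule accepts ...
    sport_max: int      # ... inclusive
    log_drops: bool     # whether a drop by this rule is logged


def evaluate(rule: DnsRule, sport: int, dport: int = 53) -> Tuple[str, bool]:
    """Return (action, logged) for a UDP datagram to dport sent from sport."""
    if dport != 53:
        return ('no-match', False)
    if rule.sport_min <= sport <= rule.sport_max:
        return ('allow', False)
    return ('drop', rule.log_drops)


# The rule Mike described: only "high-numbered" source ports, drops not logged.
LEGACY_RULE = DnsRule('dns-out', 1024, 65535, log_drops=False)
# What Mark asks for: no assumption about the source port, and log what is dropped.
CORRECTED_RULE = DnsRule('dns-out', 1, 65535, log_drops=True)


def resolver_source_port(conf_text: str, chosen_port: int) -> int:
    """Port the resolver would use: the pinned one if configured, else chosen_port.

    chosen_port is a parameter because the value BIND, the OS, or middleware on
    the path ends up using is not under the firewall's control.
    """
    fixed = find_fixed_query_source_ports(conf_text)
    return fixed[0][1] if fixed else chosen_port


def diagnose(conf_text: str, rule: DnsRule, chosen_port: int = 49152) -> dict:
    """Combine both sides and explain why a query does or does not get through."""
    sport = resolver_source_port(conf_text, chosen_port)
    action, logged = evaluate(rule, sport)
    notes = []
    if find_fixed_query_source_ports(conf_text):
        notes.append('resolver pins its query source port; remove the option')
    if rule.sport_min > 1:
        notes.append('firewall assumes a source-port range DNS does not promise')
    if action == 'drop' and not logged:
        notes.append('drop is silent; enable logging or the failure is invisible')
    return {'source_port': sport, 'action': action, 'logged': logged, 'notes': notes}


if __name__ == '__main__':
    for label, conf in (('legacy', NAMED_CONF_LEGACY), ('fixed', NAMED_CONF_FIXED)):
        for rule in (LEGACY_RULE, CORRECTED_RULE):
            print(label, rule.name, rule.sport_min, diagnose(conf, rule))
```

Running `diagnose(NAMED_CONF_LEGACY, LEGACY_RULE)` reproduces the thread: source port 53, dropped, not logged, with all three findings attached. Removing the option alone only works as long as the chosen port happens to fall inside the range the firewall guessed (`diagnose(NAMED_CONF_FIXED, LEGACY_RULE, chosen_port=1000)` is still a silent drop), which is Mark's point that the firewall, not just named.conf, needs fixing.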
